Findings from a report released today by Central European University’s Center for Media, Data and Society (CMDS) indicate that the personal data of millions of Europeans have been compromised, with 89 percent of the breaches the fault of corporations rather than governments or other kinds of organizations. 24 percent of Europe-specific breaches were the result of attacks launched from the UK, and for every 100 people currently living in the UK, 200 personal records have been compromised. The full report is available for download at http://cmds.ceu.hu/article/2014-10-07/data-breaches-europe-reported-breaches-compromised-personal-records-europe-2005.
“This is the largest investigation of privacy breaches in Europe ever undertaken,” said Philip Howard, CEU Professor of Global Media and Communication and director of CMDS. “We looked at 350 incidents over a 10-year period, with a very focused look at the 229 incidents that directly involved the privacy of people living in Europe.”
The total population of the countries covered in this study is 524 million, and the total population of internet users in these countries is 409 million. Expressed in ratios, this means that for every 100 people in the study countries, 43 personal records have been compromised. For every 100 internet users in the study countries, 56 records have been compromised.
Howard oversaw a team of 12 students at the CEU School of Public Policy (SPP) who reviewed news stories by citizen and professional journalists describing privacy breaches around Europe. Six months of research and refining brought the total down to 229 well-verified cases representing almost every country in the EU, as well as Norway and Switzerland. Germany, Greece, the Netherlands, and Norway are all countries with unusually high levels of privacy breaches.
One of the team’s main findings is that the loss of private information seems to involve organizational insiders – the people who work for the organization – more than malicious hackers. According to Howard, 57 percent of the incidents involved organizational errors, insider abuse, or other internal mismanagement (2 percent unspecified).
“In the news we hear a lot of news stories about hackers who break into systems and steal our personal information,” Howard said. “But that was the minority of incidents – far and away, most of the cases involved organizational errors, insider abuse, or other internal mismanagement.”
Howard said the next move for public policy is mandatory reporting. “When personal records are compromised, both companies and government offices should be required to report the possible privacy breaches both to the victims and a privacy commissioner. Most people don’t know who has legitimate access to their personal records, and they deserve to know when those records have been compromised.”
CMDS is the leading center of research on media, communication, and information policy in Central and Eastern Europe. Based in the School of Public Policy at Central European University, CMDS produces scholarly and practice-oriented research addressing academic, policy and civil society needs. CMDS research and activities address media and communication policy, social media and free expression, civil society and participation, fundamental communication and informational rights, and the complexities of media and communication in transition.